Check online to see if your e-mail details were leaked

Unknown programmer sets up database that includes over half a million S'pore accounts

Lester Hio
on 24 Apr 2018

The Straits Times


Be warned, if you were a LinkedIn, Yahoo Mail or Dropbox user during the first half of the decade.

The e-mail accounts and passwords used to log into those websites are still circulating around the Internet, years after the sites were compromised and had their user data leaked online.

More than half a million Singapore accounts were exposed, and are now in plain text for anyone to access and see.

An anonymous programmer has set up a searchable database for users to check if their e-mail addresses are among them.

The entire database contains about 1.4 billion accounts in total, consolidated through various breaches since 2014.

These are all sourced from high-profile breaches like the LinkedIn breach in 2016 that saw 6.5 million accounts compromised, and the Yahoo breach in the same year that hit more than a billion user accounts.

Among the compromised accounts are 535,901 e-mail addresses ending in a ".sg" domain, which suggests they belong to users here.

The bulk of them - more than 300,000 - are Yahoo Singapore accounts, followed by SingNet and Microsoft Live e-mail addresses. Other local e-mail domains include those of universities, hospitals, banks and government agencies.

But experts say it is likely that the actual number of breached Singaporean accounts is higher than half a million.

Local users may also have used addresses on generic domains, such as e-mail addresses ending in ".com", which would not be counted in the ".sg" figure.

The Straits Times was alerted to this database by an anonymous tipster who sent an e-mail listing 500 e-mail addresses and their passwords, all exposed in plain text.

Signing off as "d0gberry", the tipster said he set up this searchable database after discovering his own credentials had been breached and were circulating online.

"I received an alert that one of my accounts was used to send spam on my behalf and that's how I was triggered to study this," he said.

It took him only half an hour to locate a 9GB file circulating on the Internet containing a list of e-mail addresses and unencrypted passwords.

The Cyber Security Agency of Singapore (CSA) and Government Technology Agency of Singapore (GovTech) said in a joint statement that, given the number of large-scale data breaches and cyber attacks in recent years, it is not unusual for stolen credentials exposed on the Internet to be found by those looking for them.

While some e-mail domains belonging to government agencies appear in the database, the CSA and GovTech said there is no evidence that those details have been linked to a compromise of any government system.

"Since 2015, public officers are not permitted to use their corporate e-mail addresses to sign onto non-government websites and social media platforms for personal purposes," said both agencies.

"The Government will continue to monitor the global cyber-threat situation to calibrate our cyber-security policies and guidelines accordingly," they added.

The tipster said he set up the website, named gotcha.pw, to help users find out if their account information is still online.

It is similar to "haveibeenpwned", which was created by Australian Web security expert Troy Hunt in 2013. This website also informs them which website was responsible for the leak.

ST was able to confirm the authenticity of the breached passwords in the Gotcha database by checking them with several of the victims.

One of them, a 28-year-old analyst who declined to be named, said companies that have been breached should have a moral responsibility to monitor such information dumps, even if some time has passed since the breach, and to pressure websites to remove the information dumps.

Experts advise users not to reuse the same passwords on multiple sites, and change passwords immediately if they are notified of a breach.

"Those who have had their information stolen in a data breach are even more likely to become victims of identity fraud," said Mr Sherif El-Nabawi, senior director for systems engineering at Symantec Asia-Pacific.
